IP camera cloud streaming

3/18/2023

TL;DR: by analysing the security of a camera, I found a pre-auth RCE as root against 1250 camera models.

The "Cloud" protocol establishes clear-text UDP tunnels (in order to bypass NAT and firewalls) between an attacker and cameras by using only the serial number of the targeted camera. Then, the attacker can automatically bruteforce the credentials of cameras.

The Wireless IP Camera (P2P) WIFICAM is a Chinese web camera which allows remote streaming.

The Wireless IP Camera (P2) WIFICAM is, overall, a badly designed camera with a lot of vulnerabilities. This camera is very similar to a lot of other Chinese cameras. It seems that a generic camera is being sold in bulk by a Chinese company (OEM), and the buyer companies resell them with custom software development and specific branding. The Wireless IP Camera (P2) WIFICAM is one of the branded cameras. So, cameras are sold under different names, brands and functions. The interface is different for each vendor but shares the same vulnerabilities. The OEM vendors used a custom version of GoAhead and added vulnerable code inside. GoAhead stated that GoAhead itself is not affected by the vulnerabilities, but that the OEM vendor who did the custom and specific development around GoAhead is responsible for the cause of the vulnerabilities.

Because of code reuse, the vulnerabilities are present in a huge list of cameras (especially the InfoLeak and the RCE), which allow root commands to be executed against 1250+ camera models with a pre-auth vulnerability.

CVE-2017-8222 - RSA key and certificates
CVE-2017-8225 - Pre-Auth Info Leak (credentials) within the custom http server
CVE-2017-8223 - Misc - Streaming without authentication

The vulnerabilities in the Cloud management affect a lot of P2P or "Cloud" cameras. My tests have shown that the InfoLeak affecting the custom http server running on the camera affects at least 1250+ camera models. It can be used to execute the RCE as root. Thus, these cameras are likely affected by a pre-auth RCE as root:

Update (Mar 16, 2017): Following the strong requests from a specific vendor, the complete list of 1250 affected camera models has been removed.

Details - CVE-2017-8224 - Backdoor account

By default, telnetd is running on the camera.

    telnet 192.168.1.107
    Connection

A backdoor account exists in the camera:

    root:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh

Details - CVE-2017-8222 - RSA key and certificates

    friendlyName: Apple Production IOS Push Services:
    Subject=/UID=/CN=Apple Production IOS Push Services: /OU=SQ6NNPBE2K/C=US
    Issuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority

Details - CVE-2017-8225 - Pre-Auth Info Leak (credentials) within the custom http server

The HTTP interface is provided by a custom http server. This HTTP server is in fact based on GoAhead and was modified by the OEM vendor of the cameras (which resulted in the listed vulnerabilities).

authentication using credentials in URI (?loginuse=LOGIN&?loginpas=PASS).

By default, the web directory contains symbolic links to configuration files (system.ini and system-b.ini contain credentials):

    /tmp/web # ls -la *ini
    lrwxrwxrwx 1 root 0 25 Oct 27 02:11 factory.ini -> /system/param/factory.ini
    lrwxrwxrwx 1 root 0 30 Oct 27 02:11 factoryparam.ini -> /system/param/factoryparam.ini
    lrwxrwxrwx 1 root 0 23 Oct 27 02:11 network-b.ini -> /system/www/network.ini
    lrwxrwxrwx 1 root 0 23 Oct 27 02:11 network.ini -> /system/www/network.ini
    lrwxrwxrwx 1 root 0 22 Oct 27 02:11 system-b.ini -> /system/www/system.ini
    lrwxrwxrwx 1 root 0 22 Oct 27 02:11 system.ini -> /system/www/system.ini

With valid credentials, an attacker can retrieve the configuration, as shown below:

    wget -qO-